You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As a step towards moving codejail to its own service and containerizing edxapp, we could move to an intermediate approach where the LMS runs codejail executions on behalf of CMS. This would provide the following benefits:
CMS could be containerized independently of LMS (no need to do both at the same time).
We would exercise the remote-codejail pathway and have an opportunity to discover and implement needed improvements before fully building out a separate codejail service.
This would entail adding a new view in LMS and configuring CMS to call it, as well as adding some authorization code.
Implementation details:
"Send this to a remote codejail" is already implemented in xmodule/capa/safe_exec/remote_exec.py
Ideally, we should keep the request/response format and the path the same so that we don't need to add yet another remote-codejail code path or use an intermediary (API Gateway?) to adjust the request.
The new view needs to require authorization, particularly since execution parameters like unsafely are in play. We can adjust remote_exec.py to add a token on behalf of the cms service user.
Regardless of authorization, LMS should ignore the unsafely request parameter unless a new Django setting (maybe CODEJAIL_SERVICE_ALLOW_UNSAFE) is set to True. To my knowledge, 2U does not allow unsandboxed codejail execution. Any deployer who wants to allow this will need to explicitly opt in to this dangerous setting.
The text was updated successfully, but these errors were encountered:
This supports having an authenticated codejail service in general, but in
particular is to support the temporary use of the LMS as a codejail
service for the CMS: #33538
The new settings are all optional, and if not provided, the current
behavior does not change.
timmc-edx
added a commit
to edx/edx-arch-experiments
that referenced
this issue
Jan 11, 2024
A/C:
As a step towards moving codejail to its own service and containerizing edxapp, we could move to an intermediate approach where the LMS runs codejail executions on behalf of CMS. This would provide the following benefits:
This would entail adding a new view in LMS and configuring CMS to call it, as well as adding some authorization code.
Implementation details:
xmodule/capa/safe_exec/remote_exec.py
unsafely
are in play. We can adjust remote_exec.py to add a token on behalf of the cms service user.unsafely
request parameter unless a new Django setting (maybeCODEJAIL_SERVICE_ALLOW_UNSAFE
) is set to True. To my knowledge, 2U does not allow unsandboxed codejail execution. Any deployer who wants to allow this will need to explicitly opt in to this dangerous setting.The text was updated successfully, but these errors were encountered: